Vulnerability Development mailing list archives

Re: Naptha - New DoS


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Fri, 8 Dec 2000 11:45:25 -0500

On Fri, 8 Dec 2000, Lincoln Yeoh wrote:

> I find it interesting that Redhat 7.0 is said to be not affected
> whereas Redhat 6.1 is. Why is that the case? Is it a configuration
> issue on 6.1?

the use of xinetd in RH7 (RH6.2 and previous used inetd) is the trick
there. bear in mind that if you have either ssh (i think openssh has a
MaxClients type parameter i discussed on BUGTRAQ last year, a friend
submitted the patch) or Apache listening outside of xinetd, you can be
attacked.

Solar Designer (http://www.openwall.com/) has a patch against older
versions of xinetd that limits per-IP connections. simple spoofing will get
around it, though.

i wrote some documentation on xinetd:

http://cwrulug.cwru.edu/archive/cwrulug/200011/0043.html

i've been using it for some years now and it's stopped process table
attacks very well. naptha should also be stoppable by xinetd, with the
exception of apache (you *don't* want apache in xinetd, it takes too long
to handle requests).

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
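
An added example, not part of the original message or of xinetd itself: a small Python audit that reads xinetd.conf-style text and reports services with no effective `instances` (total concurrent servers) or `per_source` (per-IP) limit, the settings that bound a process table attack. The sample configuration is constructed, and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample xinetd.conf, not taken from the original post.
SAMPLE_CONF = """
defaults
{
    # per-IP cap inherited by every service below
    per_source = 5
}
service ftp
{
    server    = /usr/sbin/in.ftpd
    instances = 30
}
service telnet
{
    server = /usr/sbin/in.telnetd
}
service finger
{
    instances  = UNLIMITED
    per_source = UNLIMITED
}
"""

LIMITS = ("instances", "per_source")   # global cap, per-source-IP cap
BLOCK = re.compile(r"^\s*(defaults|service\s+(\S+))\s*\{(.*?)\}", re.S | re.M)
ATTR = re.compile(r"^\s*(\w+)\s*[-+]?=\s*(.*?)\s*$", re.M)

def parse(conf):
    """Return (defaults, {service: attrs}) from xinetd.conf-style text."""
    conf = re.sub(r"^\s*#.*$", "", conf, flags=re.M)   # drop comment lines
    defaults, services = {}, {}
    for head, name, body in BLOCK.findall(conf):
        attrs = dict(ATTR.findall(body))
        if head == "defaults":
            defaults = attrs
        else:
            services[name] = attrs
    return defaults, services

def audit(conf):
    """Map each service to the limits it lacks once defaults are applied."""
    defaults, services = parse(conf)
    findings = {}
    for name, attrs in services.items():
        eff = {**defaults, **attrs}    # a service's own setting overrides defaults
        missing = [k for k in LIMITS if not eff.get(k, "").isdigit()]
        if missing:                    # absent or UNLIMITED counts as no limit
            findings[name] = missing
    return findings
```

Daemons that listen outside xinetd, such as the ssh and Apache cases mentioned in the message, are not covered by this check and need their own connection limits.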

